Why Obama’s cyber sanctions won’t deter digital crime

By Hal Hodson

Cybercrooks beware: Obama is coming for you. The US president declared a national state of emergency over cybercrime at the start of April, promising to use the “authorities of my office” to track down and punish malicious hackers that threaten the country. Unfortunately, it seems the plan may be doomed to fail.

The order is meant to give the government power to punish people or organisations who attack US infrastructure over the internet. The perennial bogeyman of foreign hackers who steal American intellectual property is right in the crosshairs.

In the Executive Order that accompanied the declaration of emergency, Obama gave the US Secretary of the Treasury the authority to “impose sanctions on individuals or entities that engage in malicious cyber-enabled activities”.

Any person or group that helps a cybercriminal, even if just by providing “technological support”, can now have all their US assets frozen on the whim of a cabinet member.

But there’s a glaring problem with the plan: unless the individuals or entities Obama plans to catch are incompetent, it will be practically impossible to pin an online attack on them, says cybersecurity analyst Jeffrey Carr.

Cyber carrot and stick

Forensic scientists can trace the computers that incoming malicious connections came from, but they will still have no idea who controlled the computer.

Any clever attacker will hide their tracks, and it would take an exceptionally stupid one to launch an attack from a computer in their own basement, he says.

“Going after the attackers is a failed policy,” says Carr. “It will never work. You have to strengthen your defences. You have to worry about keeping your data protected.”

Carr says the focus should be on creating incentives for companies to more safely store the data they hold, both their own and their customers’.

“We have to focus on providing a carrot and a stick for US companies to better protect their valuable intellectual property,” he says. “You need incentives for companies to spend the money on encryption at rest and in transit, and you need penalties for companies that don’t.”

Beyond being ineffective, Obama’s order risks doing real harm by legitimising US government action against any online activity with which it disagrees.

“I think something like this could be abused,” says Carr. “If you were called out as a target and your assets were frozen, you have to fight that in court against the US government. Who has the ability to do that?”